The detection identifies potential Cobalt Strike command and control activity through known IOCs, indicating an adversary may be establishing persistent remote access. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threats leveraging Cobalt Strike in their Azure Sentinel environment.
IOC Summary
Malware Family: Cobalt Strike
Total IOCs: 7
IOC Types: ip:port, domain
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 204[.]194[.]54[.]198:53 | botnet_cc | 2026-06-22 | 75% |
| domain | ns2.msgkg.xyz | botnet_cc | 2026-06-22 | 75% |
| domain | ns1.msgkg.xyz | botnet_cc | 2026-06-22 | 75% |
| ip:port | 61[.]239[.]35[.]235:8443 | botnet_cc | 2026-06-22 | 100% |
| ip:port | 194[.]58[.]122[.]74:8443 | botnet_cc | 2026-06-22 | 91% |
| ip:port | 45[.]138[.]26[.]93:8443 | botnet_cc | 2026-06-22 | 100% |
| ip:port | 45[.]138[.]183[.]81:8443 | botnet_cc | 2026-06-22 | 80% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Cobalt Strike
// Note: the feed lists ip:port pairs; this query matches on the IP alone
// and returns DestinationPort so the pair can be checked during triage.
let malicious_ips = dynamic(["194.58.122.74", "61.239.35.235", "45.138.183.81", "45.138.26.93", "204.194.54.198"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - Cobalt Strike
let malicious_ips = dynamic(["194.58.122.74", "61.239.35.235", "45.138.183.81", "45.138.26.93", "204.194.54.198"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```

```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - Cobalt Strike
let malicious_domains = dynamic(["ns2.msgkg.xyz", "ns1.msgkg.xyz"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
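The KQL above matches on IP alone, while the feed publishes ip:port pairs and defanged values. As an added example (not part of this page or the ThreatFox feed), the Python below refangs the table values, matches ip:port as a pair and domains by suffix, and runs the check over constructed log records; loosen it to IP-only to reproduce the queries above.

```python
"""Match network records against the Cobalt Strike IOCs in the table above."""
# IOC values copied from the IOC Summary table (defanged as published).
IOCS = [
    ("ip:port", "204[.]194[.]54[.]198:53"),
    ("domain", "ns2.msgkg.xyz"),
    ("domain", "ns1.msgkg.xyz"),
    ("ip:port", "61[.]239[.]35[.]235:8443"),
    ("ip:port", "194[.]58[.]122[.]74:8443"),
    ("ip:port", "45[.]138[.]26[.]93:8443"),
    ("ip:port", "45[.]138[.]183[.]81:8443"),
]

def refang(value: str) -> str:
    """Turn the table's '1[.]2[.]3[.]4:53' form back into a plain value."""
    return value.replace("[.]", ".")

def build_index(iocs):
    """Split IOCs into a set of (ip, port) pairs and a list of domains."""
    ip_ports, domains = set(), []
    for kind, raw in iocs:
        value = refang(raw)
        if kind == "ip:port":
            ip, _, port = value.rpartition(":")
            ip_ports.add((ip, int(port)))
        elif kind == "domain":
            domains.append(value.lower())
    return ip_ports, domains

def match_record(record: dict, ip_ports, domains):
    """Return the matched indicator, or None. Keys mirror CommonSecurityLog
    (DestinationIP, DestinationPort) and DnsEvents (Name)."""
    pair = (record.get("DestinationIP"), record.get("DestinationPort"))
    if pair in ip_ports:
        return f"{pair[0]}:{pair[1]}"
    name = (record.get("Name") or "").lower().rstrip(".")
    # Suffix match: exact domain or any host under it (stricter than KQL has_any).
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None

# Constructed sample records for this example; not real telemetry.
SAMPLE_RECORDS = [
    {"DestinationIP": "194.58.122.74", "DestinationPort": 8443},  # pair hit
    {"DestinationIP": "194.58.122.74", "DestinationPort": 443},   # same IP, other port
    {"Name": "ns1.msgkg.xyz"},                                    # exact domain hit
    {"Name": "beacon.ns2.msgkg.xyz."},                            # subdomain hit
    {"Name": "msgkg.xyz"},                                        # parent zone only
]

def hunt(records, iocs=IOCS):
    """Return (record index, indicator) for every record that matches an IOC."""
    ip_ports, domains = build_index(iocs)
    hits = []
    for i, r in enumerate(records):
        m = match_record(r, ip_ports, domains)
        if m:
            hits.append((i, m))
    return hits
```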
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: Legitimate Cobalt Strike Usage in Red Team Exercises
Description: Security teams may use Cobalt Strike as part of authorized red team simulations.
Filter/Exclusion: Check for presence of a redteam or authorized tag in the asset or user context, or filter by specific IP ranges reserved for internal red team infrastructure.
Scenario: Scheduled Job for Log Collection and Analysis
Description: A scheduled job may run hunting or log analysis scripts that use Cobalt Strike binaries for data exfiltration or analysis.
Filter/Exclusion: Exclude processes initiated by a known log collection tool (e.g., Splunk, ELK Stack) or filter by process names like logcollector.sh or dataexfil.py.
Scenario: System Administration Task Involving Cobalt Strike
Description: An admin may use Cobalt Strike for incident response or forensic analysis.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges (e.g., root, admin, sysadmin) or filter by known admin tools like PowerShell, Wireshark, or tcpdump.
Scenario: Cobalt Strike Used for Internal Code Signing or Testing
Description: A development team may use Cobalt Strike for internal code signing or testing environments.
Filter/Exclusion: Exclude processes that occur within a known internal testing environment (e.g., dev, test, sandbox) or filter by specific directories like /opt/testenv/.
Scenario: Cobalt Strike Used for Internal Network Mapping or Discovery
Description: Network administrators may use Cobalt Strike for internal network mapping or vulnerability scanning.
Filter/Exclusion: Exclude processes that occur within a known network discovery tool (e.g., Nmap, Masscan).